IBM Shipped USB Drives Filled With Malware to Customers

Whoops! If you own one of these USBs—destroy it.

If you're recently bought an IBM Storwize disk rack, you might have received an USB drive that contains the disk's initialization tool. If you're among some unlucky few, though, that USB drive also has malware in it.

IBM warned last week that "some" of the drives shipped to Storwize customers "contain a file that has been infected with malicious code" and these might have to be destroyed.

When customers launch the initialization tool from the USB drive, the malware copies itself to a temporary folder into the customer's computer. Luckily, according to IBM, the malicious file doesn't execute and doesn't infect the Storwize disks. It's unclear how the malware made it onto IBM-issued USB drives. The company declined to comment when Motherboard reached it via email on Tuesday.

If you think you received one of these drives, IBM suggests you run antivirus, or remove the folder (%TMP%\initTool on Windows and /tmp/initTool on Linux or Mac) where the malware placed itself onto inside your computer.

Moreover, IBM recommends physically destroying the USB flash drive "so that it can not be reused," or try to repair it by wiping it and disinfecting it with antivirus.

The incident seems relatively minor and IBM has done the right thing by alerting customers, but it still raises questions about the security of the company's supply chain and distribution process for these drives, and is a reminder not to trust random USBs too much, even if they come from a reputable company.